18 .\" Set up some character translations and predefined strings. \*(-- will
19 .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
24 .tr \(*W-
27 . ds -- \(*W-
29 . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30 . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31 . ds L" ""
37 . ds -- \|\(em\|
39 . ds L" ``
62 . tm Index:\\$1\t\\n%\t"\\$2"
64 . if !\nF==2 \{\
66 . nr F 2
71 .\" Fear. Run. Save yourself. No user-serviceable parts.
81 . ds #H ((1u-(\\\\n(.fu%2u))*.13m)
97 . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
98 . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
99 . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
100 . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
101 . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
102 . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
104 . \" troff and (daisy-wheel) nroff accents
123 . ds d- d\h'-1'\(ga
124 . ds D- D\h'-1'\(hy
133 .IX Title "OPENSSL-CMP 1ossl"
134 .TH OPENSSL-CMP 1ossl "2023-09-22" "3.0.11" "OpenSSL"
140 openssl\-cmp \- Certificate Management Protocol (CMP, RFC 4210) application
144 [\fB\-help\fR]
145 [\fB\-config\fR \fIfilename\fR]
146 [\fB\-section\fR \fInames\fR]
147 [\fB\-verbosity\fR \fIlevel\fR]
151 [\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR]
152 [\fB\-infotype\fR \fIname\fR]
153 [\fB\-geninfo\fR \fIOID:int:N\fR]
157 [\fB\-newkey\fR \fIfilename\fR|\fIuri\fR]
158 [\fB\-newkeypass\fR \fIarg\fR]
159 [\fB\-subject\fR \fIname\fR]
160 [\fB\-issuer\fR \fIname\fR]
161 [\fB\-days\fR \fInumber\fR]
162 [\fB\-reqexts\fR \fIname\fR]
163 [\fB\-sans\fR \fIspec\fR]
164 [\fB\-san_nodefault\fR]
165 [\fB\-policies\fR \fIname\fR]
166 [\fB\-policy_oids\fR \fInames\fR]
167 [\fB\-policy_oids_critical\fR]
168 [\fB\-popo\fR \fInumber\fR]
169 [\fB\-csr\fR \fIfilename\fR]
170 [\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR]
171 [\fB\-implicit_confirm\fR]
172 [\fB\-disable_confirm\fR]
173 [\fB\-certout\fR \fIfilename\fR]
174 [\fB\-chainout\fR \fIfilename\fR]
178 [\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR]
179 [\fB\-revreason\fR \fInumber\fR]
183 [\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
184 [\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR]
185 [\fB\-no_proxy\fR \fIaddresses\fR]
186 [\fB\-recipient\fR \fIname\fR]
187 [\fB\-path\fR \fIremote_path\fR]
188 [\fB\-keep_alive\fR \fIvalue\fR]
189 [\fB\-msg_timeout\fR \fIseconds\fR]
190 [\fB\-total_timeout\fR \fIseconds\fR]
194 [\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR]
195 [\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR]
196 [\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR]
197 [\fB\-expect_sender\fR \fIname\fR]
198 [\fB\-ignore_keyusage\fR]
199 [\fB\-unprotected_errors\fR]
200 [\fB\-extracertsout\fR \fIfilename\fR]
201 [\fB\-cacertsout\fR \fIfilename\fR]
205 [\fB\-ref\fR \fIvalue\fR]
206 [\fB\-secret\fR \fIarg\fR]
207 [\fB\-cert\fR \fIfilename\fR|\fIuri\fR]
208 [\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR]
209 [\fB\-key\fR \fIfilename\fR|\fIuri\fR]
210 [\fB\-keypass\fR \fIarg\fR]
211 [\fB\-digest\fR \fIname\fR]
212 [\fB\-mac\fR \fIname\fR]
213 [\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR]
214 [\fB\-unprotected_requests\fR]
218 [\fB\-certform\fR \fIPEM|DER\fR]
219 [\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR]
220 [\fB\-otherpass\fR \fIarg\fR]
221 [\fB\-engine\fR \fIid\fR]
222 [\fB\-provider\fR \fIname\fR]
223 [\fB\-provider\-path\fR \fIpath\fR]
224 [\fB\-propquery\fR \fIpropq\fR]
228 [\fB\-rand\fR \fIfiles\fR]
229 [\fB\-writerand\fR \fIfile\fR]
231 \&\s-1TLS\s0 connection options:
233 [\fB\-tls_used\fR]
234 [\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR]
235 [\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR]
236 [\fB\-tls_keypass\fR \fIarg\fR]
237 [\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR]
238 [\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR]
239 [\fB\-tls_host\fR \fIname\fR]
241 Client-side debugging options:
243 [\fB\-batch\fR]
244 [\fB\-repeat\fR \fInumber\fR]
245 [\fB\-reqin\fR \fIfilenames\fR]
246 [\fB\-reqin_new_tid\fR]
247 [\fB\-reqout\fR \fIfilenames\fR]
248 [\fB\-rspin\fR \fIfilenames\fR]
249 [\fB\-rspout\fR \fIfilenames\fR]
250 [\fB\-use_mock_srv\fR]
254 [\fB\-port\fR \fInumber\fR]
255 [\fB\-max_msgs\fR \fInumber\fR]
256 [\fB\-srv_ref\fR \fIvalue\fR]
257 [\fB\-srv_secret\fR \fIarg\fR]
258 [\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR]
259 [\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR]
260 [\fB\-srv_keypass\fR \fIarg\fR]
261 [\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR]
262 [\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR]
263 [\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR]
264 [\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR]
265 [\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR]
266 [\fB\-poll_count\fR \fInumber\fR]
267 [\fB\-check_after\fR \fInumber\fR]
268 [\fB\-grant_implicitconf\fR]
269 [\fB\-pkistatus\fR \fInumber\fR]
270 [\fB\-failure\fR \fInumber\fR]
271 [\fB\-failurebits\fR \fInumber\fR]
272 [\fB\-statusstring\fR \fIarg\fR]
273 [\fB\-send_error\fR]
274 [\fB\-send_unprotected\fR]
275 [\fB\-send_unprot_err\fR]
276 [\fB\-accept_unprotected\fR]
277 [\fB\-accept_unprot_err\fR]
278 [\fB\-accept_raverified\fR]
280 Certificate verification options, for both \s-1CMP\s0 and \s-1TLS:\s0
282 [\fB\-allow_proxy_certs\fR]
283 [\fB\-attime\fR \fItimestamp\fR]
284 [\fB\-no_check_time\fR]
285 [\fB\-check_ss_sig\fR]
286 [\fB\-crl_check\fR]
287 [\fB\-crl_check_all\fR]
288 [\fB\-explicit_policy\fR]
289 [\fB\-extended_crl\fR]
290 [\fB\-ignore_critical\fR]
291 [\fB\-inhibit_any\fR]
292 [\fB\-inhibit_map\fR]
293 [\fB\-partial_chain\fR]
294 [\fB\-policy\fR \fIarg\fR]
295 [\fB\-policy_check\fR]
296 [\fB\-policy_print\fR]
297 [\fB\-purpose\fR \fIpurpose\fR]
298 [\fB\-suiteB_128\fR]
299 [\fB\-suiteB_128_only\fR]
300 [\fB\-suiteB_192\fR]
301 [\fB\-trusted_first\fR]
302 [\fB\-no_alt_chains\fR]
303 [\fB\-use_deltas\fR]
304 [\fB\-auth_level\fR \fInum\fR]
305 [\fB\-verify_depth\fR \fInum\fR]
306 [\fB\-verify_email\fR \fIemail\fR]
307 [\fB\-verify_hostname\fR \fIhostname\fR]
308 [\fB\-verify_ip\fR \fIip\fR]
309 [\fB\-verify_name\fR \fIname\fR]
310 [\fB\-x509_strict\fR]
311 [\fB\-issuer_checks\fR]
315 Management Protocol (\s-1CMP\s0) as defined in \s-1RFC4210.\s0
316 It can be used to request certificates from a \s-1CA\s0 server,
318 request certificates to be revoked, and perform other types of \s-1CMP\s0 requests.
321 .IP "\fB\-help\fR" 4
322 .IX Item "-help"
324 .IP "\fB\-config\fR \fIfilename\fR" 4
325 .IX Item "-config filename"
329 .IP "\fB\-section\fR \fInames\fR" 4
330 .IX Item "-section names"
331 Section(s) to use within config file defining \s-1CMP\s0 options.
336 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
339 section (as far as present) can provide per-option fallback values.
340 .IP "\fB\-verbosity\fR \fIlevel\fR" 4
341 .IX Item "-verbosity level"
343 0 = \s-1EMERG, 1\s0 = \s-1ALERT, 2\s0 = \s-1CRIT, 3\s0 = \s-1ERR, 4\s0 = \s-1WARN, 5\s0 = \s-1NOTE,
344 6\s0 = \s-1INFO, 7\s0 = \s-1DEBUG, 8\s0 = \s-1TRACE.\s0
345 Defaults to 6 = \s-1INFO.\s0
348 .IP "\fB\-cmd\fR \fIir|cr|kur|p10cr|rr|genm\fR" 4
349 .IX Item "-cmd ir|cr|kur|p10cr|rr|genm"
350 \&\s-1CMP\s0 command to execute.
353 .IP "ir \ \- Initialization Request" 8
354 .IX Item "ir - Initialization Request"
356 .IP "cr \ \- Certificate Request" 8
357 .IX Item "cr - Certificate Request"
358 .IP "p10cr \- PKCS#10 Certification Request (for legacy support)" 8
359 .IX Item "p10cr - PKCS#10 Certification Request (for legacy support)"
360 .IP "kur \ \ \- Key Update Request" 8
361 .IX Item "kur - Key Update Request"
362 .IP "rr \ \- Revocation Request" 8
363 .IX Item "rr - Revocation Request"
364 .IP "genm \- General Message" 8
365 .IX Item "genm - General Message"
370 \&\fBir\fR requests initialization of an end entity into a \s-1PKI\s0 hierarchy
374 initialized to the \s-1PKI\s0 hierarchy.
377 but using legacy PKCS#10 \s-1CSR\s0 format.
386 \&\s-1ITAV\s0 \fBinfoType\fRs is printed to stdout.
388 .IP "\fB\-infotype\fR \fIname\fR" 4
389 .IX Item "-infotype name"
392 .IP "\fB\-geninfo\fR \fIOID:int:N\fR" 4
393 .IX Item "-geninfo OID:int:N"
394 generalInfo integer values to place in request PKIHeader with given \s-1OID,\s0
398 .IP "\fB\-newkey\fR \fIfilename\fR|\fIuri\fR" 4
399 .IX Item "-newkey filename|uri"
401 Defaults to the public key in the PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option,
406 Unless \fB\-cmd\fR \fIp10cr\fR, \fB\-popo\fR \fI\-1\fR, or \fB\-popo\fR \fI0\fR is given, the
407 private key will be needed as well to provide the proof of possession (\s-1POPO\s0),
408 where the \fB\-key\fR option may provide a fallback.
409 .IP "\fB\-newkeypass\fR \fIarg\fR" 4
410 .IX Item "-newkeypass arg"
411 Pass phrase source for the key given with the \fB\-newkey\fR option.
415 \&\fBopenssl\-passphrase\-options\fR\|(1).
416 .IP "\fB\-subject\fR \fIname\fR" 4
417 .IX Item "-subject name"
418 X509 Distinguished Name (\s-1DN\s0) of subject to use in the requested certificate
420 If the NULL-DN (\f(CW"/"\fR) is given then no subject is placed in the template.
421 Default is the subject \s-1DN\s0 of any PKCS#10 \s-1CSR\s0 given with the \fB\-csr\fR option.
422 For \s-1KUR,\s0 a further fallback is the subject \s-1DN\s0
423 of the reference certificate (see \fB\-oldcert\fR) if provided.
424 This fallback is used for \s-1IR\s0 and \s-1CR\s0 only if no SANs are set.
426 If provided and neither \fB\-cert\fR nor \fB\-oldcert\fR is given,
427 the subject \s-1DN\s0 is used as fallback sender of outgoing \s-1CMP\s0 messages.
432 Giving a single \f(CW\*(C`/\*(C'\fR will lead to an empty sequence of RDNs (a NULL-DN).
433 Multi-valued RDNs can be formed by placing a \f(CW\*(C`+\*(C'\fR character instead of a \f(CW\*(C`/…
438 .IP "\fB\-issuer\fR \fIname\fR" 4
439 .IX Item "-issuer name"
440 X509 issuer Distinguished Name (\s-1DN\s0) of the \s-1CA\s0 server
441 to place in the requested certificate template in \s-1IR/CR/KUR.\s0
442 If the NULL-DN (\f(CW"/"\fR) is given then no issuer is placed in the template.
444 If provided and neither \fB\-recipient\fR nor \fB\-srvcert\fR is given,
445 the issuer \s-1DN\s0 is used as fallback recipient of outgoing \s-1CMP\s0 messages.
448 For details see the description of the \fB\-subject\fR option.
449 .IP "\fB\-days\fR \fInumber\fR" 4
450 .IX Item "-days number"
455 .IP "\fB\-reqexts\fR \fIname\fR" 4
456 .IX Item "-reqexts name"
458 If the \fB\-csr\fR option is present, these extensions augment the extensions
459 contained in the given PKCS#10 \s-1CSR,\s0 overriding any extensions with the same OIDs.
460 .IP "\fB\-sans\fR \fIspec\fR" 4
461 .IX Item "-sans spec"
462 One or more \s-1IP\s0 addresses, \s-1DNS\s0 names, or URIs separated by commas or whitespace
463 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R")
464 to add as Subject Alternative Name(s) (\s-1SAN\s0) certificate request extension.
465 If the special element \*(L"critical\*(R" is given the SANs are flagged as critical.
466 Cannot be used if any Subject Alternative Name extension is set via \fB\-reqexts\fR.
467 .IP "\fB\-san_nodefault\fR" 4
468 .IX Item "-san_nodefault"
469 When Subject Alternative Names are not given via \fB\-sans\fR
470 nor defined via \fB\-reqexts\fR,
471 they are copied by default from the reference certificate (see \fB\-oldcert\fR).
472 This can be disabled by giving the \fB\-san_nodefault\fR option.
473 .IP "\fB\-policies\fR \fIname\fR" 4
474 .IX Item "-policies name"
477 This option cannot be used together with \fB\-policy_oids\fR.
478 .IP "\fB\-policy_oids\fR \fInames\fR" 4
479 .IX Item "-policy_oids names"
480 One or more \s-1OID\s0(s), separated by commas and/or whitespace
481 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R")
483 This option cannot be used together with \fB\-policies\fR.
484 .IP "\fB\-policy_oids_critical\fR" 4
485 .IX Item "-policy_oids_critical"
486 Flag the policies given with \fB\-policy_oids\fR as critical.
487 .IP "\fB\-popo\fR \fInumber\fR" 4
488 .IX Item "-popo number"
489 Proof-of-possession (\s-1POPO\s0) method to use for \s-1IR/CR/KUR\s0; values: \f(CW\*(C`\-1\*(C'\fR…
490 \&\f(CW\*(C`\-1\*(C'\fR = \s-1NONE,\s0 \f(CW0\fR = \s-1RAVERIFIED,\s0 \f(CW1\fR = \s-1SIGNATURE\s0 …
492 Note that a signature-based \s-1POPO\s0 can only be produced if a private key
493 is provided via the \fB\-newkey\fR or \fB\-key\fR options.
494 .IP "\fB\-csr\fR \fIfilename\fR" 4
495 .IX Item "-csr filename"
496 PKCS#10 \s-1CSR\s0 in \s-1PEM\s0 or \s-1DER\s0 format containing a certificate request.
497 With \fB\-cmd\fR \fIp10cr\fR it is used directly in a legacy P10CR message.
499 When used with \fB\-cmd\fR \fIir\fR, \fIcr\fR, or \fIkur\fR,
500 it is transformed into the respective regular \s-1CMP\s0 request.
501 In this case, a private key must be provided (with \fB\-newkey\fR or \fB\-key\fR)
502 for the proof of possession (unless \fB\-popo\fR \fI\-1\fR or \fB\-popo\fR \fI0\fR is used)
504 (rather than taking over the public key contained in the PKCS#10 \s-1CSR\s0).
506 PKCS#10 \s-1CSR\s0 input may also be used with \fB\-cmd\fR \fIrr\fR
509 .IP "\fB\-out_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
510 .IX Item "-out_trusted filenames|uris"
515 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
519 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
521 .IP "\fB\-implicit_confirm\fR" 4
522 .IX Item "-implicit_confirm"
524 .IP "\fB\-disable_confirm\fR" 4
525 .IX Item "-disable_confirm"
529 \&\fB\s-1WARNING:\s0\fR This leads to behavior violating \s-1RFC 4210.\s0
530 .IP "\fB\-certout\fR \fIfilename\fR" 4
531 .IX Item "-certout filename"
533 .IP "\fB\-chainout\fR \fIfilename\fR" 4
534 .IX Item "-chainout filename"
538 .IP "\fB\-oldcert\fR \fIfilename\fR|\fIuri\fR" 4
539 .IX Item "-oldcert filename|uri"
540 The certificate to be updated (i.e., renewed or re-keyed) in Key Update Request
541 (\s-1KUR\s0) messages or to be revoked in Revocation Request (\s-1RR\s0) messages.
542 For \s-1KUR\s0 the certificate to be updated defaults to \fB\-cert\fR,
544 For \s-1RR\s0 the certificate to be revoked can also be specified using \fB\-csr\fR.
547 deriving default subject \s-1DN\s0 and Subject Alternative Names and the
548 default issuer entry in the requested certificate template of an \s-1IR/CR/KUR.\s0
550 Its subject is used as the sender of outgoing messages if \fB\-cert\fR is not given.
551 Its issuer is used as default recipient in \s-1CMP\s0 message headers
552 if neither \fB\-recipient\fR, \fB\-srvcert\fR, nor \fB\-issuer\fR is given.
553 .IP "\fB\-revreason\fR \fInumber\fR" 4
554 .IX Item "-revreason number"
555 Set CRLReason to be included in revocation request (\s-1RR\s0); values: \f(CW0\fR..\f(CW10\fR
556 or \f(CW\*(C`\-1\*(C'\fR for none (which is the default).
558 Reason numbers defined in \s-1RFC 5280\s0 are:
564 \& cACompromise (2),
569 \& \-\- value 7 is not used
577 .IP "\fB\-server\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
578 .IX Item "-server [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
579 The \s-1DNS\s0 hostname or \s-1IP\s0 address and optionally port
580 of the \s-1CMP\s0 server to connect to using \s-1HTTP\s0(S).
581 This option excludes \fI\-port\fR and \fI\-use_mock_srv\fR.
582 It is ignored if \fI\-rspin\fR is given with enough filename arguments.
584 The scheme \f(CW\*(C`https\*(C'\fR may be given only if the \fB\-tls_used\fR option is used.
588 If a path is included it provides the default value for the \fB\-path\fR option.
589 .IP "\fB\-proxy\fR \fI[http[s]://][userinfo@]host[:port][/path][?query][#fragment]\fR" 4
590 .IX Item "-proxy [http[s]://][userinfo@]host[:port][/path][?query][#fragment]"
591 The \s-1HTTP\s0(S) proxy server to use for reaching the \s-1CMP\s0 server unless \fB\-no_proxy\fR
594 …CW\*(C`http://\*(C'\fR or \f(CW\*(C`https://\*(C'\fR prefix is ignored (note that \s-1TLS\s0 may be
595 selected by \fB\-tls_used\fR), as well as any path, userinfo, and query, and fragment
598 in case no \s-1TLS\s0 is used, otherwise \f(CW\*(C`https_proxy\*(C'\fR if set, else \f(CW\*(C`HTTPS…
599 This option is ignored if \fI\-server\fR is not given.
600 .IP "\fB\-no_proxy\fR \fIaddresses\fR" 4
601 .IX Item "-no_proxy addresses"
602 List of \s-1IP\s0 addresses and/or \s-1DNS\s0 names of servers
603 not to use an \s-1HTTP\s0(S) proxy for, separated by commas and/or whitespace
604 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
606 This option is ignored if \fI\-server\fR is not given.
607 .IP "\fB\-recipient\fR \fIname\fR" 4
608 .IX Item "-recipient name"
609 Distinguished Name (\s-1DN\s0) to use in the recipient field of \s-1CMP\s0 request message
610 headers, i.e., the \s-1CMP\s0 server (usually the addressed \s-1CA\s0).
612 The recipient field in the header of a \s-1CMP\s0 message is mandatory.
614 the subject of the \s-1CMP\s0 server certificate given with the \fB\-srvcert\fR option,
615 the \fB\-issuer\fR option,
616 the issuer of the certificate given with the \fB\-oldcert\fR option,
617 the issuer of the \s-1CMP\s0 client certificate (\fB\-cert\fR option),
618 as far as any of those is present, else the NULL-DN as last resort.
621 For details see the description of the \fB\-subject\fR option.
622 .IP "\fB\-path\fR \fIremote_path\fR" 4
623 .IX Item "-path remote_path"
624 \&\s-1HTTP\s0 path at the \s-1CMP\s0 server (aka \s-1CMP\s0 alias) to use for \s-1POST\s0 requests.
625 Defaults to any path given with \fB\-server\fR, else \f(CW"/"\fR.
626 .IP "\fB\-keep_alive\fR \fIvalue\fR" 4
627 .IX Item "-keep_alive value"
628 If the given value is 0 then \s-1HTTP\s0 connections are not kept open
629 after receiving a response, which is the default behavior for \s-1HTTP 1.0.\s0
630 If the value is 1 or 2 then persistent connections are requested.
631 If the value is 2 then persistent connections are required,
634 .IP "\fB\-msg_timeout\fR \fIseconds\fR" 4
635 .IX Item "-msg_timeout seconds"
636 Number of seconds a \s-1CMP\s0 request-response message round trip
639 Default is to use the \fB\-total_timeout\fR setting.
640 .IP "\fB\-total_timeout\fR \fIseconds\fR" 4
641 .IX Item "-total_timeout seconds"
648 .IP "\fB\-trusted\fR \fIfilenames\fR|\fIuris\fR" 4
649 .IX Item "-trusted filenames|uris"
651 when validating signature-based protection of \s-1CMP\s0 response messages.
652 This option is ignored if the \fB\-srvcert\fR option is given as well.
653 It provides more flexibility than \fB\-srvcert\fR because the \s-1CMP\s0 protection
657 If none of \fB\-trusted\fR, \fB\-srvcert\fR, and \fB\-secret\fR is given, message validation
658 errors will be thrown unless \fB\-unprotected_errors\fR permits an exception.
661 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
665 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
667 .IP "\fB\-untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
668 .IX Item "-untrusted filenames|uris"
669 Non-trusted intermediate \s-1CA\s0 certificate(s).
670 Any extra certificates given with the \fB\-cert\fR option are appended to it.
672 for the own \s-1CMP\s0 signer certificate (to include in the extraCerts field of
673 request messages) and for the \s-1TLS\s0 client certificate (if \s-1TLS\s0 is enabled)
675 when validating server certificates (checking signature-based
676 \&\s-1CMP\s0 message protection) and when validating newly enrolled certificates.
680 .IP "\fB\-srvcert\fR \fIfilename\fR|\fIuri\fR" 4
681 .IX Item "-srvcert filename|uri"
682 The specific \s-1CMP\s0 server certificate to expect and directly trust (even if it is
683 expired) when verifying signature-based protection of \s-1CMP\s0 response messages.
684 This pins the accepted server and results in ignoring the \fB\-trusted\fR option.
687 as default value for the recipient of \s-1CMP\s0 requests
688 and as default value for the expected sender of \s-1CMP\s0 responses.
689 .IP "\fB\-expect_sender\fR \fIname\fR" 4
690 .IX Item "-expect_sender name"
691 Distinguished Name (\s-1DN\s0) expected in the sender field of incoming \s-1CMP\s0 messages.
692 Defaults to the subject \s-1DN\s0 of the pinned \fB\-srvcert\fR, if any.
695 \&\s-1CMP\s0 message signer, and attackers are not able to use arbitrary certificates
696 of a trusted \s-1PKI\s0 hierarchy to fraudulently pose as a \s-1CMP\s0 server.
697 Note that this option gives slightly more freedom than setting the \fB\-srvcert\fR,
702 For details see the description of the \fB\-subject\fR option.
703 .IP "\fB\-ignore_keyusage\fR" 4
704 .IX Item "-ignore_keyusage"
705 Ignore key usage restrictions in \s-1CMP\s0 signer certificates when validating
706 signature-based protection of incoming \s-1CMP\s0 messages.
707 By default, \f(CW\*(C`digitalSignature\*(C'\fR must be allowed by \s-1CMP\s0 signer certificates.
708 .IP "\fB\-unprotected_errors\fR" 4
709 .IX Item "-unprotected_errors"
716 negative certificate responses (\s-1IP/CP/KUP\s0)
718 negative revocation responses (\s-1RP\s0)
724 \&\fB\s-1WARNING:\s0\fR This setting leads to unspecified behavior and it is meant
726 \&\s-1RFC 4210,\s0 e.g.:
730 \&\*(L"There \s-1MAY\s0 be cases in which the PKIProtection \s-1BIT STRING\s0 is deliberately not
731 used to protect a message [...] because other protection, external to \s-1PKIX,\s0 will
734 section 5.3.21 is clear on ErrMsgContent: \*(L"The \s-1CA MUST\s0 always sign it
741 .IP "\fB\-extracertsout\fR \fIfilename\fR" 4
742 .IX Item "-extracertsout filename"
745 .IP "\fB\-cacertsout\fR \fIfilename\fR" 4
746 .IX Item "-cacertsout filename"
747 The file where to save any \s-1CA\s0 certificates contained in the caPubs field of
748 the last received certificate response (i.e., \s-1IP, CP,\s0 or \s-1KUP\s0) message.
751 .IP "\fB\-ref\fR \fIvalue\fR" 4
752 .IX Item "-ref value"
754 if no sender name can be determined from the \fB\-cert\fR or \fB\-subject\fR options and
755 is typically used when authenticating with a pre-shared key (password-based \s-1MAC\s0).
756 .IP "\fB\-secret\fR \fIarg\fR" 4
757 .IX Item "-secret arg"
758 Provides the source of a secret value to use with MAC-based message protection.
759 This takes precedence over the \fB\-cert\fR and \fB\-key\fR options.
760 The secret is used for creating MAC-based protection of outgoing messages
761 and for validating incoming messages that have MAC-based protection.
762 The algorithm used by default is Password-Based Message Authentication Code (\s-1PBM\s0)
763 as defined in \s-1RFC 4210\s0 section 5.1.3.1.
766 \&\fBopenssl\-passphrase\-options\fR\|(1).
767 .IP "\fB\-cert\fR \fIfilename\fR|\fIuri\fR" 4
768 .IX Item "-cert filename|uri"
769 The client's current \s-1CMP\s0 signer certificate.
770 Requires the corresponding key to be given with \fB\-key\fR.
773 serve as fallback values in the certificate template of \s-1IR/CR/KUR\s0 messages.
775 The subject of this certificate will be used as sender of outgoing \s-1CMP\s0 messages,
776 while the subject of \fB\-oldcert\fR or \fB\-subject\fR may provide fallback values.
779 and as fallback issuer entry in the certificate template of \s-1IR/CR/KUR\s0 messages.
781 When performing signature-based message protection,
782 this \*(L"protection certificate\*(R", also called \*(L"signer certificate\*(R",
785 In Initialization Request (\s-1IR\s0) messages this can be used for authenticating
786 using an external entity certificate as defined in appendix E.7 of \s-1RFC 4210.\s0
788 For Key Update Request (\s-1KUR\s0) messages this is also used as
789 the certificate to be updated if the \fB\-oldcert\fR option is not given.
793 is included in the extraCerts field in signature-protected request messages.
794 .IP "\fB\-own_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
795 .IX Item "-own_trusted filenames|uris"
797 the client-side \s-1CMP\s0 signer certificate given with the \fB\-cert\fR option
801 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
805 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
807 .IP "\fB\-key\fR \fIfilename\fR|\fIuri\fR" 4
808 .IX Item "-key filename|uri"
810 the \fB\-cert\fR option.
811 This will be used for signature-based message protection unless the \fB\-secret\fR
812 option indicating MAC-based protection or \fB\-unprotected_requests\fR is given.
814 It is also used as a fallback for the \fB\-newkey\fR option with \s-1IR/CR/KUR\s0 messages.
815 .IP "\fB\-keypass\fR \fIarg\fR" 4
816 .IX Item "-keypass arg"
817 Pass phrase source for the private key given with the \fB\-key\fR option.
818 Also used for \fB\-cert\fR and \fB\-oldcert\fR in case it is an encrypted PKCS#12 file.
822 \&\fBopenssl\-passphrase\-options\fR\|(1).
823 .IP "\fB\-digest\fR \fIname\fR" 4
824 .IX Item "-digest name"
825 Specifies the name of a supported digest to use in \s-1RFC 4210\s0's \s-1MSG_SIG_ALG\s0
826 and as the one-way function (\s-1OWF\s0) in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
828 proof-of-possession (\s-1POPO\s0) signatures.
829 To see the list of supported digests, use \f(CW\*(C`openssl list \-digest\-commands\*(C'\fR.
831 .IP "\fB\-mac\fR \fIname\fR" 4
832 .IX Item "-mac name"
833 Specifies the name of the \s-1MAC\s0 algorithm in \f(CW\*(C`MSG_MAC_ALG\*(C'\fR.
834 To get the names of supported \s-1MAC\s0 algorithms use \f(CW\*(C`openssl list \-mac\-algorithms\*(…
837 Defaults to \f(CW\*(C`hmac\-sha1\*(C'\fR as per \s-1RFC 4210.\s0
838 .IP "\fB\-extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
839 .IX Item "-extracerts filenames|uris"
841 They can be used as the default \s-1CMP\s0 signer certificate chain to include.
844 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
846 .IP "\fB\-unprotected_requests\fR" 4
847 .IX Item "-unprotected_requests"
848 Send request messages without CMP-level protection.
851 .IP "\fB\-certform\fR \fIPEM|DER\fR" 4
852 .IX Item "-certform PEM|DER"
854 Default value is \s-1PEM.\s0
855 .IP "\fB\-keyform\fR \fIPEM|DER|P12|ENGINE\fR" 4
856 .IX Item "-keyform PEM|DER|P12|ENGINE"
858 See \*(L"Format Options\*(R" in \fBopenssl\fR\|(1) for details.
859 .IP "\fB\-otherpass\fR \fIarg\fR" 4
860 .IX Item "-otherpass arg"
861 Pass phrase source for certificate given with the \fB\-trusted\fR, \fB\-untrusted\fR,
862 \&\fB\-own_trusted\fR, \fB\-srvcert\fR, \fB\-out_trusted\fR, \fB\-extracerts\fR,
863 \&\fB\-srv_trusted\fR, \fB\-srv_untrusted\fR, \fB\-rsp_extracerts\fR, \fB\-rsp_capubs\fR,
864 \&\fB\-tls_extra\fR, and \fB\-tls_trusted\fR options.
868 \&\fBopenssl\-passphrase\-options\fR\|(1).
869 .IP "\fB\-engine\fR \fIid\fR" 4
870 .IX Item "-engine id"
871 See \*(L"Engine Options\*(R" in \fBopenssl\fR\|(1).
877 \& \-engine {engineid} \-key {keyid} \-keyform ENGINE
880 \&... it's also possible to just give the key \s-1ID\s0 in \s-1URI\s0 form to \fB\-key\fR,
884 \& \-key org.openssl.engine:{engineid}:{keyid}
887 This applies to all options specifying keys: \fB\-key\fR, \fB\-newkey\fR, and
888 \&\fB\-tls_key\fR.
891 .IP "\fB\-provider\fR \fIname\fR" 4
892 .IX Item "-provider name"
894 .IP "\fB\-provider\-path\fR \fIpath\fR" 4
895 .IX Item "-provider-path path"
896 .IP "\fB\-propquery\fR \fIpropq\fR" 4
897 .IX Item "-propquery propq"
899 See \*(L"Provider Options\*(R" in \fBopenssl\fR\|(1), \fBprovider\fR\|(7), and \fBproperty\fR\|(7).
902 .IP "\fB\-rand\fR \fIfiles\fR, \fB\-writerand\fR \fIfile\fR" 4
903 .IX Item "-rand files, -writerand file"
904 See \*(L"Random State Options\*(R" in \fBopenssl\fR\|(1) for details.
905 .SS "\s-1TLS\s0 connection options"
907 .IP "\fB\-tls_used\fR" 4
908 .IX Item "-tls_used"
909 Enable using \s-1TLS\s0 (even when other TLS-related options are not set)
910 for message exchange with \s-1CMP\s0 server via \s-1HTTP.\s0
911 This option is not supported with the \fI\-port\fR option.
912 It is ignored if the \fI\-server\fR option is not given or \fI\-use_mock_srv\fR is given
913 or \fI\-rspin\fR is given with enough filename arguments.
915 The following TLS-related options are ignored
916 if \fB\-tls_used\fR is not given or does not take effect.
917 .IP "\fB\-tls_cert\fR \fIfilename\fR|\fIuri\fR" 4
918 .IX Item "-tls_cert filename|uri"
919 Client's \s-1TLS\s0 certificate.
920 If the source includes further certs they are used (along with \fB\-untrusted\fR
921 certs) for constructing the client cert chain provided to the \s-1TLS\s0 server.
922 .IP "\fB\-tls_key\fR \fIfilename\fR|\fIuri\fR" 4
923 .IX Item "-tls_key filename|uri"
924 Private key for the client's \s-1TLS\s0 certificate.
925 .IP "\fB\-tls_keypass\fR \fIarg\fR" 4
926 .IX Item "-tls_keypass arg"
927 Pass phrase source for client's private \s-1TLS\s0 key \fB\-tls_key\fR.
928 Also used for \fB\-tls_cert\fR in case it is an encrypted PKCS#12 file.
932 \&\fBopenssl\-passphrase\-options\fR\|(1).
933 .IP "\fB\-tls_extra\fR \fIfilenames\fR|\fIuris\fR" 4
934 .IX Item "-tls_extra filenames|uris"
935 Extra certificates to provide to the \s-1TLS\s0 server during the \s-1TLS\s0 handshake
936 .IP "\fB\-tls_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
937 .IX Item "-tls_trusted filenames|uris"
938 Trusted certificate(s) to use for validating the \s-1TLS\s0 server certificate.
942 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
946 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
948 .IP "\fB\-tls_host\fR \fIname\fR" 4
949 .IX Item "-tls_host name"
951 This may be a \s-1DNS\s0 name or an \s-1IP\s0 address.
952 If not given it defaults to the \fB\-server\fR address.
953 .SS "Client-side debugging options"
954 .IX Subsection "Client-side debugging options"
955 .IP "\fB\-batch\fR" 4
956 .IX Item "-batch"
959 .IP "\fB\-repeat\fR \fInumber\fR" 4
960 .IX Item "-repeat number"
963 .IP "\fB\-reqin\fR \fIfilenames\fR" 4
964 .IX Item "-reqin filenames"
965 Take the sequence of \s-1CMP\s0 requests to send to the server from the given file(s)
968 This option is ignored if the \fB\-rspin\fR option is given
972 (where in the latter case the whole argument must be enclosed in \*(L"...\*(R").
981 This causes re-protection (if protecting requests is required).
982 .IP "\fB\-reqin_new_tid\fR" 4
983 .IX Item "-reqin_new_tid"
984 Use a fresh transactionID for \s-1CMP\s0 request messages read using \fB\-reqin\fR,
987 and the \s-1CMP\s0 server complains that the transaction \s-1ID\s0 has already been used.
988 .IP "\fB\-reqout\fR \fIfilenames\fR" 4
989 .IX Item "-reqout filenames"
990 Save the sequence of \s-1CMP\s0 requests created by the client to the given file(s).
991 These requests are not sent to the server if the \fB\-reqin\fR option is used, too.
998 .IP "\fB\-rspin\fR \fIfilenames\fR" 4
999 .IX Item "-rspin filenames"
1000 Process the sequence of \s-1CMP\s0 responses provided in the given file(s),
1006 Any server specified via the \fI\-server\fR or \fI\-use_mock_srv\fR options is contacted
1010 .IP "\fB\-rspout\fR \fIfilenames\fR" 4
1011 .IX Item "-rspout filenames"
1012 Save the sequence of actually used \s-1CMP\s0 responses to the given file(s).
1013 These have been received from the server unless \fB\-rspin\fR takes effect.
1020 .IP "\fB\-use_mock_srv\fR" 4
1021 .IX Item "-use_mock_srv"
1022 Test the client using the internal \s-1CMP\s0 server mock-up at \s-1API\s0 level,
1023 bypassing socket-based transfer via \s-1HTTP.\s0
1024 This excludes the \fB\-server\fR and \fB\-port\fR options.
1027 .IP "\fB\-port\fR \fInumber\fR" 4
1028 .IX Item "-port number"
1029 Act as an HTTP-based \s-1CMP\s0 server mock-up listening on the given port.
1030 This excludes the \fB\-server\fR and \fB\-use_mock_srv\fR options.
1031 The \fB\-rspin\fR, \fB\-rspout\fR, \fB\-reqin\fR, and \fB\-reqout\fR options
1033 .IP "\fB\-max_msgs\fR \fInumber\fR" 4
1034 .IX Item "-max_msgs number"
1035 Maximum number of \s-1CMP\s0 (request) messages the \s-1CMP HTTP\s0 server mock-up
1039 detects a CMP-level error that it can successfully answer with an error message.
1040 .IP "\fB\-srv_ref\fR \fIvalue\fR" 4
1041 .IX Item "-srv_ref value"
1042 Reference value to use as senderKID of server in case no \fB\-srv_cert\fR is given.
1043 .IP "\fB\-srv_secret\fR \fIarg\fR" 4
1044 .IX Item "-srv_secret arg"
1045 Password source for server authentication with a pre-shared key (secret).
1046 .IP "\fB\-srv_cert\fR \fIfilename\fR|\fIuri\fR" 4
1047 .IX Item "-srv_cert filename|uri"
1049 .IP "\fB\-srv_key\fR \fIfilename\fR|\fIuri\fR" 4
1050 .IX Item "-srv_key filename|uri"
1052 .IP "\fB\-srv_keypass\fR \fIarg\fR" 4
1053 .IX Item "-srv_keypass arg"
1055 .IP "\fB\-srv_trusted\fR \fIfilenames\fR|\fIuris\fR" 4
1056 .IX Item "-srv_trusted filenames|uris"
1060 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1062 .IP "\fB\-srv_untrusted\fR \fIfilenames\fR|\fIuris\fR" 4
1063 .IX Item "-srv_untrusted filenames|uris"
1064 Intermediate \s-1CA\s0 certs that may be useful when validating client certificates.
1065 .IP "\fB\-rsp_cert\fR \fIfilename\fR|\fIuri\fR" 4
1066 .IX Item "-rsp_cert filename|uri"
1068 .IP "\fB\-rsp_extracerts\fR \fIfilenames\fR|\fIuris\fR" 4
1069 .IX Item "-rsp_extracerts filenames|uris"
1071 .IP "\fB\-rsp_capubs\fR \fIfilenames\fR|\fIuris\fR" 4
1072 .IX Item "-rsp_capubs filenames|uris"
1073 \&\s-1CA\s0 certificates to be included in mock Initialization Response (\s-1IP\s0) message.
1074 .IP "\fB\-poll_count\fR \fInumber\fR" 4
1075 .IX Item "-poll_count number"
1077 .IP "\fB\-check_after\fR \fInumber\fR" 4
1078 .IX Item "-check_after number"
1080 .IP "\fB\-grant_implicitconf\fR" 4
1081 .IX Item "-grant_implicitconf"
1083 .IP "\fB\-pkistatus\fR \fInumber\fR" 4
1084 .IX Item "-pkistatus number"
1087 .IP "\fB\-failure\fR \fInumber\fR" 4
1088 .IX Item "-failure number"
1091 .IP "\fB\-failurebits\fR \fInumber\fR Number representing failure bits to be included in server res…
1092 .IX Item "-failurebits number Number representing failure bits to be included in server response. V…
1094 .IP "\fB\-statusstring\fR \fIarg\fR" 4
1095 .IX Item "-statusstring arg"
1098 .IP "\fB\-send_error\fR" 4
1099 .IX Item "-send_error"
1101 .IP "\fB\-send_unprotected\fR" 4
1102 .IX Item "-send_unprotected"
1103 Send response messages without CMP-level protection.
1104 .IP "\fB\-send_unprot_err\fR" 4
1105 .IX Item "-send_unprot_err"
1107 certificate responses (\s-1IP/CP/KUP\s0), and revocation responses (\s-1RP\s0).
1108 \&\s-1WARNING:\s0 This setting leads to behavior violating \s-1RFC 4210.\s0
1109 .IP "\fB\-accept_unprotected\fR" 4
1110 .IX Item "-accept_unprotected"
1112 .IP "\fB\-accept_unprot_err\fR" 4
1113 .IX Item "-accept_unprot_err"
1116 .IP "\fB\-accept_raverified\fR" 4
1117 .IX Item "-accept_raverified"
1118 Accept \s-1RAVERIFIED\s0 as proof of possession (\s-1POPO\s0).
1119 .SS "Certificate verification options, for both \s-1CMP\s0 and \s-1TLS\s0"
1121 …-allow_proxy_certs\fR, \fB\-attime\fR, \fB\-no_check_time\fR, \fB\-check_ss_sig\fR, \fB\-crl_check…
1122 …-allow_proxy_certs, -attime, -no_check_time, -check_ss_sig, -crl_check, -crl_check_all, -explicit_…
1124 See \*(L"Verification Options\*(R" in \fBopenssl\-verification\-options\fR\|(1) for details.
1127 \&\fB\-verify_hostname\fR, \fB\-verify_ip\fR, and \fB\-verify_email\fR
1128 only affect the certificate verification enabled via the \fB\-out_trusted\fR option.
1131 When a client obtains from a \s-1CMP\s0 server \s-1CA\s0 certificates that it is going to
1133 authentication of the \s-1CMP\s0 server is particularly critical.
1135 using \fB\-trusted\fR and related options for certificate-based authentication
1136 or \fB\-secret\fR for MAC-based protection.
1138 When setting up \s-1CMP\s0 configurations and experimenting with enrollment options
1140 When the \s-1CMP\s0 server reports an error the client will by default
1141 check the protection of the \s-1CMP\s0 response message.
1142 Yet some \s-1CMP\s0 services tend not to protect negative responses.
1145 For assisting in such cases the \s-1CMP\s0 client offers a workaround via the
1146 \&\fB\-unprotected_errors\fR option, which allows accepting such negative messages.
1151 This \s-1CMP\s0 client implementation comes with demonstrative \s-1CMP\s0 sections
1153 which can be used to interact conveniently with the Insta Demo \s-1CA.\s0
1155 In order to enroll an initial certificate from that \s-1CA\s0 it is sufficient
1162 .Vb 2
1163 \& openssl genrsa \-out insta.priv.pem
1164 \& openssl cmp \-section insta
1172 \& openssl x509 \-noout \-text \-in insta.cert.pem
1175 In case the network setup requires using an \s-1HTTP\s0 proxy it may be given as usual
1176 via the environment variable \fBhttp_proxy\fR or via the \fB\-proxy\fR option in the
1177 configuration file or the \s-1CMP\s0 command-line argument \fB\-proxy\fR, for example
1180 \& \-proxy http://192.168.1.1:8080
1183 In the Insta Demo \s-1CA\s0 scenario both clients and the server may use the pre-shared
1186 Alternatively, \s-1CMP\s0 messages may be protected in signature-based manner,
1188 and the client may use any certificate already obtained from that \s-1CA,\s0
1193 \& openssl cmp \-section insta,signature
1196 By default the \s-1CMP IR\s0 message type is used, yet \s-1CR\s0 works equally here.
1200 \& openssl cmp \-section insta \-cmd cr
1206 \& openssl cmp \-section insta,cr
1212 \& openssl cmp \-section insta,kur
1215 using MAC-based protection with \s-1PBM\s0 or
1218 \& openssl cmp \-section insta,kur,signature
1221 using signature-based protection.
1226 \& openssl cmp \-section insta,rr \-trusted insta.ca.crt
1232 \& openssl cmp \-section insta,rr,signature
1237 For instance, the \fB\-reqexts\fR \s-1CLI\s0 option may refer to a section in the
1242 \& openssl cmp \-section insta,cr \-reqexts v3_req
1247 They assume that a \s-1CMP\s0 server can be contacted on the local \s-1TCP\s0 port 80
1251 and sends an initial request message to the local \s-1CMP\s0 server
1252 using a pre-shared secret key for mutual authentication.
1253 In this example the client does not have the \s-1CA\s0 certificate yet,
1254 so we specify the name of the \s-1CA\s0 with the \fB\-recipient\fR option
1255 and save any \s-1CA\s0 certificates that we may receive in the \f(CW\*(C`capubs.pem\*(C'\fR file.
1261 \& openssl genrsa \-out cl_key.pem
1262 \& openssl cmp \-cmd ir \-server 127.0.0.1:80/pkix/ \-recipient "/CN=CMPserver" \e
1263 \& \-ref 1234 \-secret pass:1234\-5678 \e
1264 \& \-newkey cl_key.pem \-subject "/CN=MyName" \e
1265 \& \-cacertsout capubs.pem \-certout cl_cert.pem
1276 \& openssl genrsa \-out cl_key_new.pem
1277 \& openssl cmp \-cmd kur \-server 127.0.0.1:80/pkix/ \e
1278 \& \-trusted capubs.pem \e
1279 \& \-cert cl_cert.pem \-key cl_key.pem \e
1280 \& \-newkey cl_key_new.pem \-certout cl_cert.pem
1285 .SS "Requesting information from \s-1CMP\s0 server"
1287 Requesting \*(L"all relevant information\*(R" with an empty General Message.
1288 This prints information about all received \s-1ITAV\s0 \fBinfoType\fRs to stdout.
1290 .Vb 2
1291 \& openssl cmp \-cmd genm \-server 127.0.0.1/pkix/ \-recipient "/CN=CMPserver" \e
1292 \& \-ref 1234 \-secret pass:1234\-5678
1296 For \s-1CMP\s0 client invocations, in particular for certificate enrollment,
1297 usually many parameters need to be set, which is tedious and error-prone to do
1322 \& secret = pass:1234\-5678\-1234\-567
1329 .Vb 2
1330 \& openssl cmp \-section cmp,init
1331 \& openssl cmp \-cmd kur \-newkey cl_key_new.pem
1337 \& openssl cmp \-section cmp,init \-cmd genm
1341 \&\fBopenssl\-genrsa\fR\|(1), \fBopenssl\-ecparam\fR\|(1), \fBopenssl\-list\fR\|(1),
1342 \&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1), \fBx509v3_config\fR\|(5)
1347 The \fB\-engine\fR option was deprecated in OpenSSL 3.0.
1350 Copyright 2007\-2023 The OpenSSL Project Authors. All Rights Reserved.
1352 Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use
1354 in the file \s-1LICENSE\s0 in the source distribution or at